-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2007.0123 -- [Win]
             Multiple vulnerabilities in Trend Micro ServerProtect
                              21 February 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              ServerProtect for Windows 5.58
                      ServerProtect for EMC 5.58
                      ServerProtect for Network Appliance Filer 5.61
                      ServerProtect for Network Appliance Filer 5.62
Publisher:            TippingPoint
Operating System:     Windows Server 2003
                      Windows 2000
                      Windows NT
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-1070

Original Bulletin:
  http://www.tippingpoint.com/security/advisories/TSRT-07-01.html
  http://www.tippingpoint.com/security/advisories/TSRT-07-02.html

Comment: This bulletin contains 2 advisories regarding vulnerabilities in
         Trend Micro ServerProtect. Both sets of flaws are reached without
         authentication through the same DCE/RPC endpoint on TCP port 5168
         (service SpntSvc.exe) and run as SYSTEM; Trend Micro has released
         an update (see Vendor Response below). Until it is applied, TCP
         port 5168 should not be reachable from untrusted networks.

- --------------------------BEGIN INCLUDED TEXT--------------------

TSRT-07-01: Trend Micro ServerProtect StCommon.dll Stack Overflow Vulnerabilities
http://www.tippingpoint.com/security/advisories/TSRT-07-01.html
February 20, 2007

- -- CVE ID:
CVE-2007-1070

- -- Affected Vendor:
Trend Micro

- -- Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability
since January 16, 2007 by Digital Vaccine protection filter ID 5050. For
further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

- -- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on
vulnerable installations of Trend Micro ServerProtect. Authentication is
not required to exploit these vulnerabilities.
The specific flaws exist within the StCommon.dll library and are reachable
remotely through a DCE/RPC endpoint on TCP port 5168 bound to by the
service SpntSvc.exe. The RPC endpoint is exposed from TmRpcSrv.dll with the
following IDL stub information:

    // opcode: 0x00, address: 0x65741030
    // uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
    // version: 1.0

    error_status_t rpc_opnum_0 (
        [in] handle_t  arg_1,
        [in] long trend_req_num,
        [in][size_is(arg_4)] byte overflow_str[],
        [in] long arg_4,
        [out][size_is(arg_6)] byte arg_5[],
        [in] long arg_6
    );

The upper half of the 'trend_req_num' DWORD RPC argument from above is used
within TmRpcSrv.dll as an index into a call table. It must specifically be
0x000a which results in a call to StRpcSrv.65673970(). The original
arguments to the RPC endpoint are then passed to this called routine:

    657416E6 mov     eax, opnum0_call_table[eax*4]
    657416ED test    eax, eax
    657416EF jnz     short loc_65741707
    ...
    65741707 loc_65741707:
    65741707 mov     [ebp+var_4], 0
    6574170E mov     edx, [ebp+sizeof_arg5]
    65741711 push    edx
    65741712 mov     edx, [ebp+arg5_array]
    65741715 push    edx
    65741716 mov     edx, [ebp+sizeof_overflow_str]
    65741719 push    edx
    6574171A mov     edx, [ebp+overflow_str]
    6574171D push    edx
    6574171E push    ecx             ; trend_req_num
    6574171F call    eax             ; call handler

The lower half of the 'trend_req_num' DWORD RPC argument is then used
within StRpcSrv.dll as an index into a second call table. The value of this
lower half controls the code flow to the following vulnerabilities and is
hereafter referred to as the 'subcode'. Note that the attacker controls the
whole DWORD, so both table indices and the contents and length of
'overflow_str' are chosen by the remote caller.
- --[ Vulnerability One

A subcode value of either 0x0011 or 0x0017 results in the following call:

    65674D7F push    ebx             ; overflow_str
    65674D80 call    CMON_NetTestConnection

A stack overflow occurs within the routine CMON_NetTestConnection() due to
an unbounded widechar wsprintf() into a 44 byte stack-based buffer as shown
in the following relevant excerpt:

    65634AC5 xor     ecx, ecx
    65634AC7 lea     edx, [esp+65Ch+Name] ; 44 byte stack buffer
    65634ACB mov     cx, [eax]
    65634ACE push    ecx
    65634ACF push    ebx             ; 1st arg
    65634AD0 push    offset str_SC   ; "\\\\%s\\%c$"
    65634AD5 push    edx             ; LPWSTR
    65634AD6 call    ds:wsprintfW    ; vuln!

- --[ Vulnerability Two

A subcode value of either 0x0008 or 0x0009 results in calls to
CMON_ActiveUpdate() and CMON_ActiveRollback() respectively. Both of these
routines subsequently call StCommon.65631220() which can result in a stack
overflow due to an unbounded widechar lstrcat() into a 2k stack-based
buffer as shown in the following relevant excerpt:

    65631311 lea     edx, [esp+0A78h+buf]
    65631318 push    ebp             ; lpString2
    65631319 push    edx             ; lpString1
    6563131A call    ebx             ; lstrcatW ; stack overflow

The resulting stack overflows can be leveraged to execute arbitrary code
under the privileges of the SYSTEM user.

- -- Vendor Response:
Trend Micro has issued an update to correct this vulnerability. More
details can be found at:

    http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290

- -- Disclosure Timeline:
2007.01.16 - Digital Vaccine released to TippingPoint customers
2007.01.19 - Vulnerability reported to vendor
2007.02.20 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security
Research Team.
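Vulnerability One above gives enough detail to reproduce the arithmetic of the sink. The C program below is an added example, not Trend Micro's or TippingPoint's code: it models the wsprintfW("\\\\%s\\%c$") write into the 44-byte buffer (22 WCHARs, an inference from the 44-byte figure and the 2-byte Windows WCHAR) and puts a size-checked formatter next to it. The format string and buffer size are the advisory's; all function and variable names are invented.

```c
/* Added example, not Trend Micro's or TippingPoint's code: models the
 * CMON_NetTestConnection sink.  The format string "\\\\%s\\%c$" and the
 * 44-byte stack buffer come from the advisory; a WCHAR is 2 bytes on
 * Windows, so that buffer holds 22 UTF-16 code units.  Function and
 * variable names here are invented. */
#include <stdio.h>
#include <stddef.h>
#include <uchar.h>   /* char16_t, u"..." literals (C11) */

#define NAME_BUF_BYTES 44                   /* "44 byte stack buffer" */
#define NAME_BUF_UNITS (NAME_BUF_BYTES / 2) /* 22 UTF-16 units        */

static size_t u16len(const char16_t *s) { size_t n = 0; while (s[n]) n++; return n; }

/* UTF-16 units wsprintfW("\\\\%s\\%c$", server, drive) writes, NUL included:
 * two backslashes, the name, a backslash, the drive letter, '$', NUL. */
size_t unc_units_needed(const char16_t *server)
{
    return 2 + u16len(server) + 1 + 1 + 1 + 1;
}

/* The sink as described: wsprintfW takes no destination size, so once the
 * name exceeds 16 units the write runs past the 44-byte buffer. */
int name_overflows_stack_buf(const char16_t *server)
{
    return unc_units_needed(server) > NAME_BUF_UNITS;
}

/* Hardened form, the behaviour of a size-checked formatter such as
 * StringCchPrintfW: refuse (leaving an empty string) rather than overflow.
 * Returns the number of units written, or -1 when the result would not fit. */
int format_admin_share(char16_t *dst, size_t dst_units,
                       const char16_t *server, char16_t drive)
{
    if (dst_units == 0) return -1;
    if (unc_units_needed(server) > dst_units) { dst[0] = 0; return -1; }
    size_t i = 0;
    dst[i++] = u'\\'; dst[i++] = u'\\';
    for (size_t k = 0; server[k]; k++) dst[i++] = server[k];
    dst[i++] = u'\\'; dst[i++] = drive; dst[i++] = u'$';
    dst[i] = 0;
    return (int)i;
}

/* Runs the hardened formatter against a buffer of the vulnerable size. */
int try_fit(const char16_t *server)
{
    char16_t buf[NAME_BUF_UNITS];
    return format_admin_share(buf, NAME_BUF_UNITS, server, u'C');
}

int main(void)
{
    const char16_t *names[] = { u"SRV", u"ABCDEFGHIJKLMNOP", u"ABCDEFGHIJKLMNOPQ" };
    for (size_t i = 0; i < 3; i++)
        printf("len=%2zu needs=%2zu units  overflows=%d  bounded=%d\n",
               u16len(names[i]), unc_units_needed(names[i]),
               name_overflows_stack_buf(names[i]), try_fit(names[i]));
    return 0;
}
```

The boundary falls at a 16-character server name: the format adds five characters plus the terminator, so a 17-character name already exceeds the 44 bytes. On Windows the hardened form would be StringCchPrintfW, which takes the destination size in characters and returns STRSAFE_E_INSUFFICIENT_BUFFER instead of writing past the end; wsprintfW has no length parameter at all, which is why the advisory's sink is unbounded. lstrcatW and wcscpy, the sinks in the remaining vulnerabilities, have the same property.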
TSRT-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities
http://www.tippingpoint.com/security/advisories/TSRT-07-02.html
February 20, 2007

- -- CVE ID:
CVE-2007-1070

- -- Affected Vendor:
Trend Micro

- -- Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62

- -- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability
since January 16, 2007 by Digital Vaccine protection filter ID 5101. For
further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

- -- Vulnerability Details:
These vulnerabilities allow attackers to execute arbitrary code on
vulnerable installations of Trend Micro ServerProtect. Authentication is
not required to exploit these vulnerabilities.

The specific flaws exist within the eng50.dll library and are reachable
remotely through the same DCE/RPC endpoint as TSRT-07-01: TCP port 5168,
bound to by the service SpntSvc.exe. The RPC endpoint is exposed from
TmRpcSrv.dll with the following IDL stub information:

    // opcode: 0x00, address: 0x65741030
    // uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
    // version: 1.0

    error_status_t rpc_opnum_0 (
        [in] handle_t  arg_1,
        [in] long trend_req_num,
        [in][size_is(arg_4)] byte overflow_str[],
        [in] long arg_4,
        [out][size_is(arg_6)] byte arg_5[],
        [in] long arg_6
    );

The upper half of the 'trend_req_num' DWORD RPC argument from above is used
within TmRpcSrv.dll as an index into a call table. It must specifically be
0x0003 which results in a call to StRpcSrv.65671000(). The original
arguments to the RPC endpoint are then passed to this called routine:

    657416E6 mov     eax, opnum0_call_table[eax*4]
    657416ED test    eax, eax
    657416EF jnz     short loc_65741707
    ...
    65741707 loc_65741707:
    65741707 mov     [ebp+var_4], 0
    6574170E mov     edx, [ebp+sizeof_arg5]
    65741711 push    edx
    65741712 mov     edx, [ebp+arg5_array]
    65741715 push    edx
    65741716 mov     edx, [ebp+sizeof_overflow_str]
    65741719 push    edx
    6574171A mov     edx, [ebp+overflow_str]
    6574171D push    edx
    6574171E push    ecx             ; trend_req_num
    6574171F call    eax             ; call handler

The lower half of the 'trend_req_num' DWORD RPC argument is then used
within StRpcSrv.dll as an index into a second call table. The value of this
lower half controls the code flow to the following vulnerabilities and is
hereafter referred to as the 'subcode'.

- --[ Vulnerability One

A subcode value of 0x0004 results in a call to
ENG_SetRealTimeScanConfigInfo() which subsequently calls through
Eng50.61181940() -> Eng50.611819E0() -> Eng50.61190F60() and can result in
a stack overflow due to an unbounded widechar string copy into a ~600 byte
stack-based buffer as shown in the following relevant excerpt:

    61190FC7 lea     edx, [esp+288h+szShortPath]
    61190FCB push    esi
    61190FCC push    edx
    61190FCD call    _wcscpy

- --[ Vulnerability Two

A subcode value of 0x0047 results in a call to ENG_SendEMail() which can
result in a stack overflow due to an unbounded widechar string copy into a
~2k stack-based buffer as shown in the following relevant excerpt:

    6118A161 mov     esi, [esp+780h+arg_0]
    6118A168 lea     eax, [esp+780h+var_778]
    6118A16C push    esi
    6118A16D push    eax
    6118A16E call    _wcscpy

The resulting stack overflows can be leveraged to execute arbitrary code
under the privileges of the SYSTEM user.

- -- Vendor Response:
Trend Micro has issued an update to correct this vulnerability.
More details can be found at:

    http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290

- -- Disclosure Timeline:
2007.01.16 - Digital Vaccine released to TippingPoint customers
2007.02.01 - Vulnerability reported to vendor
2007.02.20 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security
Research Team.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
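Taken together, the two advisories above name six (upper half, subcode) pairs of 'trend_req_num' that reach an unbounded copy, all through opnum 0 of the 25288888-bd5b-11d1-9d53-0080c83a5c2c interface on TCP port 5168. The C program below is an added example, not part of either advisory and not TippingPoint's Digital Vaccine filter: it decodes the stub data of one such request and flags those that reach a listed handler with an 'overflow_str' longer than the named buffer can hold. It assumes the standard NDR layout for the parameter list (trend_req_num, then the conformant overflow_str array as a 4-byte max count followed by the bytes and padding to a 4-byte boundary, then arg_4 and arg_6; the primitive handle_t is not transmitted). Buffer sizes are the advisories' figures, with "~600" and "2k" taken as 600 and 2048; the request builder, the verdict names and all other identifiers are invented for the example.

```c
/* Added example, not Trend Micro's or TippingPoint's code: triage of one
 * rpc_opnum_0 request's stub data against the (upper half, subcode) pairs
 * listed in TSRT-07-01 and TSRT-07-02.  Assumed wire layout (standard NDR,
 * little endian; the primitive handle_t is not transmitted): trend_req_num,
 * then overflow_str as a conformant array (4-byte max count, the bytes,
 * padding to 4), then arg_4, then arg_6.  Handler names and buffer sizes
 * come from the advisories; the byte limits are derived from them and are
 * approximate where the text says "~600" or "2k". */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sink {
    uint16_t upper, subcode;  /* TmRpcSrv.dll and StRpcSrv.dll table indices */
    const char *handler;      /* routine reached, per the advisory           */
    size_t dest_bytes;        /* stack buffer size given in the advisory     */
    size_t limit_bytes;       /* longest overflow_str that can still fit     */
};

/* The 44-byte wsprintfW buffer also holds "\\\\", "\\", the drive letter,
 * "$" and a NUL (12 bytes), so 32 bytes of name is the most that fits.  For
 * the lstrcatW/wcscpy sinks the limit is only an upper bound: lstrcatW
 * appends to whatever the buffer already contains. */
static const struct sink SINKS[] = {
    { 0x000a, 0x0011, "CMON_NetTestConnection",        44,   32   },
    { 0x000a, 0x0017, "CMON_NetTestConnection",        44,   32   },
    { 0x000a, 0x0008, "CMON_ActiveUpdate",             2048, 2046 },
    { 0x000a, 0x0009, "CMON_ActiveRollback",           2048, 2046 },
    { 0x0003, 0x0004, "ENG_SetRealTimeScanConfigInfo", 600,  598  },
    { 0x0003, 0x0047, "ENG_SendEMail",                 2048, 2046 },
};

enum verdict { STUB_MALFORMED = -1, STUB_BENIGN = 0, STUB_HITS_SINK = 1, STUB_OVERFLOW = 2 };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

const struct sink *sink_for(uint16_t upper, uint16_t subcode)
{
    for (size_t i = 0; i < sizeof SINKS / sizeof SINKS[0]; i++)
        if (SINKS[i].upper == upper && SINKS[i].subcode == subcode) return &SINKS[i];
    return NULL;
}

/* Decode one request's stub data and classify it. */
enum verdict triage_opnum0(const uint8_t *stub, size_t len)
{
    if (len < 8) return STUB_MALFORMED;
    uint32_t req = rd32le(stub), max_count = rd32le(stub + 4);
    if (max_count > len - 8) return STUB_MALFORMED;              /* array runs past the PDU  */
    size_t padded = ((size_t)max_count + 3) & ~(size_t)3;         /* NDR aligns the next long */
    if (len - 8 < padded || len - 8 - padded < 8) return STUB_MALFORMED;
    if (rd32le(stub + 8 + padded) != max_count) return STUB_MALFORMED; /* size_is(arg_4) */
    const struct sink *s = sink_for((uint16_t)(req >> 16), (uint16_t)(req & 0xffff));
    if (!s) return STUB_BENIGN;
    return max_count > s->limit_bytes ? STUB_OVERFLOW : STUB_HITS_SINK;
}

/* Builds a constructed request (test input, not captured traffic). */
size_t build_opnum0(uint8_t *out, size_t cap, uint32_t req,
                    const uint8_t *str, uint32_t str_len, uint32_t out_len)
{
    size_t padded = ((size_t)str_len + 3) & ~(size_t)3;
    if (cap < 16 + padded) return 0;
    memset(out, 0, 16 + padded);
    wr32le(out, req);
    wr32le(out + 4, str_len);
    memcpy(out + 8, str, str_len);
    wr32le(out + 8 + padded, str_len);   /* arg_4 */
    wr32le(out + 12 + padded, out_len);  /* arg_6 */
    return 16 + padded;
}

/* A request carrying str_len bytes of 'A' in overflow_str, classified. */
enum verdict classify(uint32_t req, uint32_t str_len)
{
    static uint8_t str[4096], pdu[4096 + 16];
    if (str_len > sizeof str) return STUB_MALFORMED;
    memset(str, 'A', str_len);
    size_t n = build_opnum0(pdu, sizeof pdu, req, str, str_len, 1024);
    return n ? triage_opnum0(pdu, n) : STUB_MALFORMED;
}

int main(void)
{
    const uint32_t reqs[] = { 0x000a0011, 0x000a0011, 0x00030047, 0x00010001 };
    const uint32_t lens[] = { 8, 100, 3000, 8 };
    for (int i = 0; i < 4; i++) {
        const struct sink *s = sink_for(reqs[i] >> 16, reqs[i] & 0xffff);
        printf("req=0x%08x len=%-4u handler=%-30s verdict=%d\n", reqs[i], lens[i],
               s ? s->handler : "(none)", (int)classify(reqs[i], lens[i]));
    }
    return 0;
}
```

A detection rule built this way needs the DCE/RPC bind and request PDUs reassembled first, so that the stub data rather than the raw TCP stream is inspected, and should log any hit on a listed subcode even when the string is short: the lstrcatW sinks append to an existing buffer, so the limits here are only upper bounds. The check complements the vendor update referenced above; it does not replace it.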
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRdvcnSh9+71yA2DNAQLQBQQAl8tKNpsqvN70fnY98xrqy8c9FPAr/6go
929NM6K0C7anF3sFqy+qIoK5UykAM/fqPHcB9OwDSH5SqrAkjYVjWG4dtYz4IvZY
x32Xpoo9B+oOHyRCTOeYuzhv7Eh45glXlQkRj2G3ger03fRbnrp2GKYaNw5611eY
8yQ+a4yEYjc=
=xe4N
-----END PGP SIGNATURE-----